CPSEC-20: NCM Account Automation assigns System Admin role to users on POD
January 18, 2019
Summary: The NetCloud Manager (NCM) system administrator was changed without notifying the client system administrator. A defect was released to production that allowed certain provisioning services to modify an existing account’s System Administrator to match the user listed as the ‘Shipping Contact’ on a Purchase Order processed by Operations.
Identified: Benjamin A. Fischer, Indiana Department of Transportation.
Mitigation: A code fix within Accounts Service and Provisioning Service was deployed to production. With the fix, Provisioning Service always checks for the existence of an account before attempting to provision System Administrators or any account users. Accounts Service never allows additional users to be created on existing accounts during the Order/Subscription provisioning flow.
Knowledge Article (Requires login to view article.)
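
The two guards described in the Mitigation, modelled as an added example; this is not the vendor's code. Every class, function and parameter name here is hypothetical, and the in-memory store stands in for the real services.

```python
from dataclasses import dataclass, field


class ProvisioningError(Exception):
    """Raised when a provisioning request violates an account invariant."""


@dataclass
class Account:
    account_id: str
    system_admin: str
    users: set = field(default_factory=set)


class AccountsService:
    """Hypothetical in-memory stand-in for an accounts service."""

    def __init__(self):
        self._accounts = {}

    def get(self, account_id):
        return self._accounts.get(account_id)

    def create_account(self, account_id, admin):
        if account_id in self._accounts:
            raise ProvisioningError("account already exists")
        self._accounts[account_id] = Account(account_id, admin, {admin})
        return self._accounts[account_id]

    def add_user(self, account_id, user, *, order_flow):
        # Second guard: the order/subscription flow never adds users
        # to an account that already exists.
        if order_flow:
            raise ProvisioningError("order flow may not add users to an existing account")
        self._accounts[account_id].users.add(user)


def provision_order_defective(accounts, account_id, shipping_contact):
    """Models the defect: an existing account's admin is replaced."""
    acct = accounts.get(account_id) or accounts.create_account(account_id, shipping_contact)
    acct.users.add(shipping_contact)
    acct.system_admin = shipping_contact  # silent takeover of the admin role
    return acct


def provision_order_fixed(accounts, account_id, shipping_contact):
    """First guard: provision an admin only when the account is new."""
    acct = accounts.get(account_id)
    if acct is not None:
        return acct  # existing account: admin and user list are left untouched
    return accounts.create_account(account_id, shipping_contact)
```

Keeping the check in both services means a regression in the provisioning caller still cannot add users to an existing account through the order flow.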